The latest Java patches to fix critical security flaws came out this week—but that wasn’t enough to persuade everyone that using Java is safe. On Wednesday Apple took the unusual step of using an OS X update to remove a Java plugin from all Mac-compatible Web browsers.

The ongoing problems had already led some security researchers to recommend that users disable Java, at least until specific flaws were patched. We’ve seen in comment threads that many Ars readers have disabled or uninstalled Java on their own computers, or at least disabled Java plugins for browsers.

The question “what is Java still good for?” is sometimes asked in mocking tones, but it shouldn’t be. Despite its flaws, Java has been a success for nearly two decades for good reasons, and all sorts of important applications and infrastructure still run on it. On desktops, applications like WebEx and Minecraft require Java.

Enterprise hardware and software vendors often write their administration tools in Java so that they work consistently across different platforms. In turn, IT departments mandate specific Java versions on users' desktops so that everyone can work with the required tools. Changing the version of Java on everyone's desktops requires extensive testing of Java-dependent applications before the company will upgrade to a new Java version—leaving users stuck for long periods of time with an out-of-date, less-secure version of Java.

A company might end up with a confusing mess of different versions. One Ars reader who works for a 350,000-person company reported having “80 different versions of Java in our environment with over 135 security vulnerabilities among them… In a corporate environment, you have to test each new release of Java with your entire Java dependent application ecosystem.”

What we want to know

The Java question is thus both dependent on your needs at home and on your needs at work—which in this bring-your-own-device world are very much intertwined. With that in mind, here’s what we want to know. Do you run Java at home and/or at work? If you’ve considered disabling Java but decided against it, what were your reasons? What Java-based functionality are you not willing to give up? For those of you who have disabled Java, what made you take the plunge—and have you ever regretted your decision when encountering software that won't run without Java?

Our question is for desktops and laptops only—Java remains an integral part of various network appliances, server-based application infrastructure, and open source big data engines, as well as millions of feature phones running mobile Java apps. That isn’t going to change anytime soon, but the issue of whether to use Java on the desktop is very much in play.

We’re going to monitor the thread and return Monday with a recap of your most interesting comments. Have at it!

Promoted Comments

IT department here. What the bloody-jovial hell am I supposed to do with Java? Just yesterday I rejected a request to reinstall build 6 update 32, which the vendor of a particular application had advised, citing the hundreds of security vulnerabilities as my reasoning. It wouldn't have fixed the problem with the application, either, it's a NAT problem, but that's another story for another day.

Seriously though, what should I do with this trash? Users reject the UAC update prompts because they're all travelers, and they know their fellow travelers have picked up what I call 'DNS HIV' from accepting supposed java update prompts while on the hotel/airport WIFI, or some exploit servlet broadcasting with the same SSID as the legitimate hotel network, but that's another story for another day.

Every virus I've encountered, and 99% of the time they result in a chaotic wipe of the hard drive and a new standard image rolled out, but every single virus has either Java or some Adobe product responding to a drive-by as the logical point of origin. The redirects to these drive-bys often come from e-mail, I've got the MX rejecting document/image/pdf files that test positive for embedded Java elements now but really, what should be done? I'm considering a multi-application central update management software, because exercising absolute control over only Microsoft updates has ceased making sense when Oracle and Adobe keep loading my stations with giant piles of dog shit that attract parasites. Forgive my frustration, I sound like Joe Biden at the debate over here.

I think I have a pretty interesting position, honestly. Even though I am a developer, I do not have Java installed on my development box or home computer. I DO have it installed on a few VMs running the continuous integration (totally awesome) combo of Jenkins + Sonar. But on my work machines and home machines, no.

At first, I ripped the whole thing off, even though I knew that it was the browser plugin that had the security problem, but I hadn't used it in a year or two and the incredibly annoying "Update ME!" popups irked me. (Not because of updating, but because if you update it automatically installs a browser toolbar even if you selected not to when you downloaded the application in the first place -- I had to uninstall it and then download and install from the website to be able to prevent the toolbar.)

So I just took the whole thing off, more on a whim and a "well, I'll install the new version when I need it." Aaaand, I haven't needed it. Nothing I run needs even desktop Java, let alone the browser plugin (seriously, it has been almost a decade since I ran into a Java webapp.)

I'm frankly flabbergasted that I can completely and utterly avoid Java as a developer. I have it on my build server, and I think Java has a home there for a long, long time to come.

But not for my desktop/laptops.

P.S. Yes, I know you can kill the update request in Win 7. I had long before. It's just one of those pet peeves. It might not do that anymore, but I don't take the risk. That has been my update strategy for Java since 2008.

I work in a lab, and we use ImageJ (or better yet, FIJI) for scientific image analysis. Most image analysis of this type doesn't need a tremendous amount of horsepower, so the cross-platform nature of Java is very helpful here. ImageJ uses a plugin architecture, so it is easy to write specific plugins to perform specific methods and then share them.

As a developer I simply cannot get rid of Java. Period. Java is an important part of the corporate world, the development ecosystem and also because many schools (as well as independent instructors) use Java as an entry into programming due to it being easier for most to grasp as compared to C/C++, et al. Plus my wife and I are shameless Minecraft addicts.


At work, I use Java 7 for WebEx and Abridean Provisor. We're in the process of switching to Citrix CloudPortal to replace Provisor, but that still leaves WebEx.

At home, I use Java 6 to manage my players' D&D characters in PCGen. Unfortunately, PCGen 5.16 requires 32-bit Java 6, and Oracle is not going to provide security updates for Java 6 without a support contract after February 2013. The 5.17 branch of PCGen isn't out of beta yet. We have tested it with each new release but found it to have too many bugs to be usable. This is leaving me to decide whether I want to run an unsupported (and unpatched) Java version as a portable application using something like Portable Apps or switch to an entirely different character management system at cost to both me and my players.

I have to use screensharing software that runs on Java for client meetings... Skype doesn't cut it because it doesn't integrate into Cisco and Cisco-like services. And yes, these would be in-browser Java plugins.

I remember last time I used Java at home to get into some IRC chat app, I got a nasty virus on my laptop. Ugh.

Yes at work. Some of our server applications are written in Java, and being able to run these applications cross-platform (Windows development workstation, Linux production server) is a big strength. We also use Java because it is a fairly mature language with a huge community. This has the nice side effect of providing us with great tools for automated testing (JUnit), continuous integration (Ant), and code profiling (JVisualVM).

Not saying other languages don't have equivalent features, but in general we tend to lean towards Java unless we're writing very specialized code. So there you go - one anecdotal data point.

It is worth noting that Java as a desktop framework is not a big security risk. It is the browser plugin that presents a problem. Avoiding desktop Java on purpose does not make any sense. On the other hand, every browser plugin you install on any browser increases the attack surface. Java does not have more vulnerabilities than Flash, but Flash is more useful as a browser plugin because of its widespread use, so people are willing to forgive its security flaws even though in practice they are more than Java's.

I ripped it out of the browser at home and at work after the first high profile attack. At work ~10% of my programming in the last year's been Java so I can't get rid of it there (and even if it did, IT's software distribution tool would probably just reinstall it for me).

I've got a Java app running 24/7 on an old laptop computer at home that I use as a low-power pseudo-server, so I can't get rid of it entirely there either. I've debated killing it entirely at home on my main machine, since I only find myself using it once or twice a year for a random tool/utility; but unless attacks targeting non-browser Java show up, switching computers or starting a VM is more hassle than I really want to bother with.

Honestly questioning and not trolling, but isn't the main problem with the java vulnerabilities with the browser plugin? Disable the java browser plugins, and you've fixed 99% of the attack surface, right?

Yep, pretty much. There are still some issues if you have things like .jnlp files set to auto-launch (don't do this), but disabling the plugin will solve most of them.

Exactly. If you need it, you need it. If you don't, then don't install it in the first place. What is the point of this article's question? Refusing to touch a desktop app that requires Java even if you would find it useful is overreacting.

"Changing the version of Java on everyone's desktops requires extensive testing of Java-dependent applications before the company will upgrade to a new Java version—leaving users stuck for long periods of time with an out-of-date, less-secure version of Java."

Why is this? Is compatibility between versions especially bad for Java? Does it tend to break applications during updates? If so, that's a fundamental problem with the platform. I know a certain amount of issues will be inevitable, but if they can't minimize it, time to switch to a better supported platform.

It's ok, though. In the future all these things will be HTML5. When there's an HTML5 exploit, you won't be able to turn that off! (Except by changing browsers.)

I tried to live without Java, but all sorts of programs that I didn't expect to break because they didn't have that characteristic terrible Swing GUI turned out to be using Java at least in some way and decided to break anyway. I'll need to do a more thorough cost/benefit analysis before deciding to remove those programs.

The browser plugin is quite useless though. I disabled it years ago. From time to time I encounter a small physics simulator (or something like that) that for some mysterious reason is a Java applet, but that's just too bad then.

For any Windows machine I use and like, Java does NOT go on it. This is mostly due to the updater, which I find annoying and obnoxious. In a vacuum it's probably not that bad, but years of it have become poisonous to me. I also have no particular love for Oracle, so their purchase and guidance of Sun/Java has made it even less appealing to me. (Not trying to start a flame-war. I just don't like Oracle since dealing with lawyers and other undesirables in the late 90's when working out licensing and fees. I've seen no fundamental cultural shift there to make me think I would care for them any more today.)

The risk of using Java seems huge to me. Unfortunately, there are so many applications that require that I truly use on a regular basis. For example, Air Video Server requires Java and that is what I use to stream movies from my PC to my iPhone and iPad. I try to mitigate it to a certain extent by disabling Java in my browsers and by completely removing it from my Macbook, but it really just appears to be a necessary evil for the time being. It's not just Java that we have to worry about though. Even Flash and Acrobat have had their fair share of issues. Obviously there are great alternatives to Acrobat, but like Java, Flash is also a necessary evil.

What does concern me though is the amount of uneducated computer users out there who do not perform regular software updates. I provide free tech support to non-English speaking people in my area, because it is a poor rural town with migrant workers who really do not have enough money to pay Geek Squad or Office Depot (I also think these services take advantage of people, but that's a topic for another day). 100% of the computers that come to me are running outdated versions of Java and Acrobat. While I can't point to those as the cause for the infections on their PCs, it's a pretty safe bet.

These companies really need to start educating their users to update their software regularly and the risks in not doing so.

Another thing that really makes Java insecure, besides the amount of vulnerabilities that are currently out for it, is Oracle's patch cycle. Oracle only patches Java every 3 months, although they do say they will fix "critical issues" outside of that timeframe.

In my mind 3 months is way too long to let an exploit percolate through users' machines, not to mention critical corporate systems. If Oracle was serious about Java security, move it up to a monthly patch cycle at a minimum. It's not like Oracle can't afford to put resources into releasing patches faster.

Most plugins, IMO, slow down the browser. I have used either built-in tools or addons to block plugins, either Java or Flash, from running, unless I specifically allow it. So, I keep it there, but under lock and key, just in case I need it.

Can anyone tell me what exactly these "security risks" are for desktop java apps? And whether they're any worse than running any other desktop app?

I see a whole lot of people in this thread who obviously don't understand the difference between the JRE and the Java browser plugin, and Ars coverage of Java obviously hasn't helped.

Since the two of them are installed at the same time, you get to enjoy the risks of both when you install Java, even if you only intend to use desktop apps. Normal users are not going to know to disable the browser plugin.

Oracle could do everyone a favor if they split the two up or made the plugin a not-default install option.

I write Java Web Applications as my day job. For that, I need the JDK and JRE.

First thing I do after installing an updated version of Java is to disable the web browser components. I don't need them as everything I wrote is going to be executed on the server side and returned to clients as HTML.

At home, I uninstalled Java in response to the recent unpatched vulnerability and have not missed it at all. At the office, our staff access the local county clerk's document management system, which requires the Java browser plug-in to view or print documents. This is a daily occurrence and the alternative is to go there in person, wait in line, and pay for a printed copy of the document. In other words, we're stuck with it, like it or not.

The only application I'm aware of that I think is written in Java is GoTo Meeting. I don't think any other software relies on Java, and if it weren't for GoTo, I'd uninstall. In fact, this post has prompted me to contact their support and ask if Java is a requirement. If not, I'm going to ditch it.

Besides, I get annoyed that there are so many Java updates (security issue or not) and that they're always popping up in my system tray.

I first disabled Java in my web browser about eight years ago, and in all that time I've never noticed anything important not working because of this! The only website that complained to me by that time was a prehistoric site with a Java applet from the late 1990's, that I didn't actually need to use. I'm now looking for a good excuse to dump & block Java completely because security is paramount for me and I've lost confidence in the custodians of Java.

I use Java heavily at work because it has the killer combination of:

* being good enough as a programming language
* being cross-platform
* having a great set of libraries
* running fast

No other language sufficiently meets these criteria, which is why Java is the most popular language.

Work: still need to use it to run various internal web apps and some internal research desktop tools. And the occasional webex.

Home: I still have it installed, but I'm not really sure why. Websites historically, I think. With all the updates and vulnerabilities, I think it's time to give removing it a try and see if anything breaks.

I have Java both at work and home (for working at home)... solely for GoToMeeting. (They have a g2m_download.exe to work around the Java plugin being disabled, but I think it's a thin program to fetch the code and pass it to Java, rather than a full native implementation.)

I have actually disabled every single plugin in Firefox (my primary browser, natch) and set the start page to `about:plugins` so I can catch any sneaking in. Then I toggle Java on an as-needed basis to get into meetings.

Although I hate Java and the "PLEASE LET US STUFF YOU WITH THIS TOOLBAR" updater, I have to say the raft of languages running upon the JVM are nifty. I would probably keep Java, sans plugin, for Clojure and JRuby.

At home. I have an older application (dive computer data upload and online log) written in Java for the Mac. There's a newer program that isn't, and I'm in the process of transitioning, but not to avoid Java particularly. But there very well might not have been a replacement; the manufacturer's program for this was Windows-only, and is feature-poor, buggy, and crippled. It's not a big market; it's really somebody's hobby.

One of the few uses of Java anyone in our company has is a web app with one of the major North American banks. This app requires an older version of Java and IE7 or older. So there is kind of a double-whammy of security risks there. The bank seems to have developed the app a few years ago and then forgotten about it. The problem isn't so much Java here as it is companies that can't be bothered to spend money to update their software with better and more secure tools.

Second, you can't seem to install or update Java in Windows without Oracle trying to push crapware onto your computer: Ask.com or some McAfee thing. It is easy to miss that check box in the frequent updates. This crapware may or may not be insecure in itself (though the McAfee thing can sometimes conflict with our own anti-virus software). But any software that you don't control can open the door to security risks.

Same here. Our company uses Juniper Network Connect and actually, I'm pretty happy with it: it works well, it's reliable and doesn't eat up too much CPU time either. Oh, and it works on both Windows and OS X (probably Linux too, not sure).

Can anyone tell me what exactly these "security risks" are for desktop java apps? And whether they're any worse than running any other desktop app?

I see a whole lot of people in this thread who obviously don't understand the difference between the JRE and the Java browser plugin, and Ars coverage of Java obviously hasn't helped.

Since the two of them are installed at the same time, you get to enjoy the risks of both when you install Java, even if you only intend to use desktop apps. Normal users are not going to know to disable the browser plugin.

Oracle could do everyone a favor if they split the two up or made the plugin a not-default install option.

That's an excellent idea. But it doesn't address the question, or the article, which is explicitly about desktop java apps.

I occasionally need libraries written in Java, so I can't quite get by without it on the desktop. I have no use for it in the browser whatsoever, though.

My girlfriend needs Java on the desktop because she uses a programming language built on the JVM. Occasionally, it's convenient to run the resulting simulations in the browser, but she decided that's not worth the security risks.